Google Glass susceptible to poison-pill QR code

Google Glass susceptible to poison-pill QR code

Researchers at Lookout mobile security say that they've figured out a way to make Google Glass execute potentially harmful commands by getting it to read a maliciously crafted QR code.

According to a blog post by principal security researcher Marc Rogers, Glass uses optical character recognition technology on every photograph taken scanning for readable text and QR codes, which can contain configuration instructions or web links.

[RELATED:The nastiest cyber security stink-bombs of 2013 (so far)]

[MORE SECURITY:Hacking to rig election earns college student one-year prison sentence]

Rogers says that, as handy as this is for legitimate users offering ways for guests to easily connect to a Wi-Fi network and so forth it's also a potential tool for the unscrupulous. The team at Lookout created a malicious QR code that performed an impressively complete takeover of Glass.

"When photographed by an unsuspecting Glass user, the code forced Glass to connect silently to a hostile' WiFi access point that we controlled. That access point in turn allowed us to spy on the connections Glass made, from web requests to images uploaded to the Cloud. Finally, it also allowed us to divert Glass to a page on the access point containing a known Android 4.0.4 web vulnerability that hacked Glass as it browsed the page," wrote Rogers.

Lookout privately disclosed the vulnerability to Google in May, and a patch requiring user approval for instructions contained within QR codes, among other fixes, was issued in early June essentially removing this particular threat.

However, Rogers wrote that the vulnerability highlights more general concerns about the move toward the "Internet of things."

"The traditional thermostat hanging on an office wall held little attraction to cybercriminals. A connected thermostat -- that can tell whoever controls it how many people live in a house, what technology connects to their network, and, most seriously, when the house is unoccupied -- is an attractive target," he wrote.

Email Jon Gold at and follow him on Twitter at @NWWJonGold.

Read more about anti-malware in Network World's Anti-malware section.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags GooglewirelessNetworkinganti-malwareLookout

More about GoogleQR

Show Comments